Methods, communication systems and mobile routers for routing data packets from a moving network to a home network of the moving network

ABSTRACT

The present invention aims at making it possible for a data packet originating from a mobile network node (102, 103) in a moving network (101) to be routed over any of a number of external accesses (111, 112) accessible from different mobile routers (104, 105) in the moving network to home networks (115, 117) related to the moving network, for the case where the mobile routers advertise different address prefixes to the mobile network nodes. When a mobile router (104) advertising a first address prefix receives a data packet associated with a source address with the first address prefix, and the mobile router selects, for routing to a home network, an external access (112) accessible from another mobile router (105) advertising a second access prefix, the mobile router will: detect that the source address of the data packet has an address prefix different to the second address prefix, provide the data packet with a different source address having the second address prefix, and transmit the data packet to the other mobile router for subsequent transmission via the selected external access (112) to a home network (117) of the moving network.

FIELD OF THE INVENTION

The present invention relates to communication systems, methods and mobile routers for routing data packets from a moving network to a home network, and more particularly it relates to methods, communication systems and mobile routers for routing data packets from a moving network which has more than one mobile router, each mobile router having access to at least one external access, to a home agent of any of the mobile routers.

BACKGROUND

This document deals with mobility for a moving network, which is defined as a network that is movable in relation to its home network. A moving network can change its point of attachment to a fixed infrastructure or it may have many points of attachment to a fixed infrastructure, but it is still able to communicate with a home network through a mobile router having access to an external access through which all communication nodes in the moving network can communicate. Such a communication node in a moving network is called a moving network node. In the case of a moving network on e.g. an airplane, the moving network will comprise communication nodes, which may be different users' communication devices, such as laptops, mobile phones, PDAs (Personal Digital Assistants) etc., which communication nodes communicate wireless or wireline with a mobile router within the airplane, such that all communication destined to an external address will pass via the mobile router. A moving network may also be e.g. a Personal Area Network (PAN), wherein a PAN comprises all communication devices belonging to a user and situated within short range radio communication distance from each other. In this document, each node in the moving network or connected to the moving network that works like a router for data originating from a moving network node and destined to an address external of the moving network is defined as a mobile router. Examples of such mobile routers are: a PAN device working as a router in a PAN, and a router in a moving network on a vehicle. Note that a node may have both roles, i.e. being both a moving network node and a mobile router, for example a PAN device such as a mobile phone in a PAN.

“The Network Mobility (NEMO) Basic Support Protocol”, by Devarapalli et al, published January 2005 as a Request For Comments 3963 by the Internet Engineering Task Force, identifies a protocol that enables a moving network to attach to different points in the Internet. The protocol is an extension of Mobile IPv6, and allows session continuity for every communication node (or communication device) in the moving network as the moving network moves. It allows a mobile router to maintain a stable network address prefix for a moving network, even as the mobile router changes its, and thus the moving network's, point of attachment to a fixed network infrastructure. This prefix stability is achieved through a solution similar to the mobile IPv6 solution, i.e. by making a home agent (HA) in the home network of the mobile router a fixed point of attachment for the Mobile Router (MR) and maintaining connectivity between the HA and the MR through a tunnel. The address prefix, which is called Mobile network prefix (MNP) in the NEMO protocol, is allocated from the address range of the home network, and can thus remain the same even as the MR and its network move. When the MR attaches to a network in a new location, it acquires a new care-of address in the new network, which care-of address is used to locate the MR in the new network, but its home address and address prefix are unchanged. However, just like in Mobile IPv6 the MR has to register its new care-of address in the HA in order to maintain the tunnel between the Mobile Router and the Home Agent.

If, in the current NEMO solution, a bad tunnel is experienced, it will be replaced by a new tunnel by performing a new registration with the HA, this time with a different care-of address, unless the tunnel is re-established through the same interface and point of attachment, and possibly configured on a different interface, depending on the nature of the tunnel problems. If a communication node could get Internet access through multiple access media simultaneously, i.e. the moving network could have multiple tunnels established simultaneously, a data flow could be moved from a bad tunnel to a good tunnel much quicker than if only one tunnel at a time can be established. Also, for matters of cost, bandwidth, delay etc. it could be useful for a communication node to get Internet access through multiple simultaneous tunnels. However, the NEMO basic support protocol does not allow this because it allows only a single care-of address to be registered in the Home Agent (HA) for a certain Mobile Router (MR) at any one time. Multiple simultaneous care-of addresses are not allowed and thus multiple simultaneous accesses and MR-HA tunnels are not possible for a MR.

However, such a procedure for managing different external access resources simultaneously accessible by a mobile router in a moving network is suggested in the co-pending patent application PCT/SE2004/001578 by the same applicant. For this reason, a tunnel is set up over each of the different external access resources available from the mobile router such that the external accesses are simultaneously accessible. To be able to fully make use of the different external access resources, this procedure suggests that the mobile router controls the use of the different external access resources for data packets sent between the mobile router and the home agent of the mobile router. To achieve this, the mobile router classifies a data packet based on information in the packet and selects an access resource for sending the packet based on the classification and on information of the different external access resources.

The procedure described above only discusses a moving network having one mobile router with a plurality of external access possibilities. However, it may happen that all external accesses present in an area are not handled by one and the same mobile router. For example, on a train there may be a fixed mobile router mounted in each railway-carriage. Also, for technical reasons, different external accesses may not be handled by the same mobile router. Therefore, to be able to give the moving network nodes in a moving network the ability to use all external accesses that are present in an area, a procedure for managing different external access resources simultaneously accessible by more than one mobile router in a moving network is suggested in the co-pending patent application PCT/SE2004/001994 by the same applicant.

In the procedure described in PCT/2004/001994, the more than one mobile routers forward traffic between each other so that the correct access is used independently of how the mobile network nodes behave. In this procedure, the same mobile network prefix (MNP), i.e. address prefix, is used by all mobile routers in the moving network. This is the case for example when the mobile routers have the same home network, e.g. same home agent in the same home network.

However, in some cases it may happen that the moving network has multiple MRs but they are unsynchronized with regards to address prefix management. This means that an MR may be assigned an address prefix or MNP different from what another MR in the same moving network is using. The MRs may connect to the same or to different HAs. The MRs are assigned different address prefixes from their HAs and they advertise them into the moving network. Nevertheless, it is still of interest to be able to use all external access of the moving network for all MNNs. The focus of the solution is to let the MRs perform external access selection for the flows of the MNNs in the most flexible manner. Therefore, it would be desirable if it would be possible to use any of the external accesses accessible from any of the MRs for routing data packets originating from any of the MNNs to a home agent of the moving network, also in the case where the MRs in the moving network are unsynchronized with regards to prefix management (e.g. they are allocated different prefixes).

The term flow or data flow used in the application is a loose term for a connection between two end nodes. A flow between a first and a second end node may have two directions: from the first node to the second node and vice versa. Thus, in the application, a data flow comprises an uplink part and a downlink part, wherein the uplink part is in the direction from the moving network node to the home agent (and further to the correspondent node), and the downlink part is in the direction from the home agent to the moving network node. A TCP (Transmission Control Protocol) connection is typically seen as a flow. A node can have multiple flows towards different correspondent nodes and also multiple flows towards the same correspondent node. Each flow comprises data packets. A flow is typically defined by the source and destination IP addresses and port numbers, plus the transport protocol in use, such as TCP or UDP (User Datagram Protocol). It is also possible to instead define a flow by its flow label (in IPv6) or its SPI (Security Parameter Index) together with the source and destination IP addresses, and the protocol in case of the SPI. The flow label is more specific than the port numbers and should have precedence over them. The SPI is used in IPsec (IP security as defined in RFC 2401 “Security Architecture for the Internet Protocol”), together with the destination IP address and the protocol to identify the security association, and the SPI-destination address-protocol triplet is typically used as a (unidirectional) flow identifier when the packet is encrypted and the port numbers are visible only to the receiving end-node.
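The flow definitions above can be turned into a classifier that a mobile router could use to key its access selection. The following is an added example, not code from the application: the function names are hypothetical, the packets are constructed from documentation addresses, and it assumes the upper-layer header directly follows the 40-byte IPv6 header (no extension headers).

```python
import ipaddress
import struct

TCP, UDP, ESP = 6, 17, 50  # IANA protocol numbers


def flow_key(packet: bytes):
    """Derive a flow identifier from a raw IPv6 packet.

    Precedence follows the text: a non-zero flow label wins over port
    numbers; an ESP packet is keyed on the SPI/destination/protocol
    triplet because its ports are encrypted; otherwise the classic
    addresses + ports + protocol tuple is used.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    first_word, _length, next_header, _hops = struct.unpack("!IHBB", packet[:8])
    flow_label = first_word & 0xFFFFF          # low 20 bits of the first word
    src = str(ipaddress.IPv6Address(packet[8:24]))
    dst = str(ipaddress.IPv6Address(packet[24:40]))
    upper = packet[40:]

    if flow_label:
        return ("label", src, dst, flow_label)
    if next_header == ESP:
        if len(upper) < 4:
            raise ValueError("truncated ESP header")
        (spi,) = struct.unpack("!I", upper[:4])
        return ("spi", dst, ESP, spi)           # unidirectional identifier
    if next_header in (TCP, UDP):
        if len(upper) < 4:
            raise ValueError("truncated transport header")
        sport, dport = struct.unpack("!HH", upper[:4])
        return ("ports", src, dst, next_header, sport, dport)
    # Anything else can only be told apart by addresses and protocol.
    return ("addresses", src, dst, next_header)


def build_ipv6(src, dst, next_header, upper, flow_label=0):
    """Build a minimal IPv6 packet (test helper for constructed samples)."""
    first_word = (6 << 28) | (flow_label & 0xFFFFF)
    header = struct.pack("!IHBB", first_word, len(upper), next_header, 64)
    return (header + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + upper)


def sample_packets():
    """Constructed packets: plain TCP, labelled TCP, and ESP."""
    src, dst = "2001:db8:a::1234", "2001:db8:ffff::1"
    tcp = struct.pack("!HH", 40000, 443) + bytes(16)   # ports + rest of header
    esp = struct.pack("!II", 0x1001, 1) + bytes(16)    # SPI, sequence, ciphertext
    return {
        "tcp": build_ipv6(src, dst, TCP, tcp),
        "tcp_labelled": build_ipv6(src, dst, TCP, tcp, flow_label=0x12345),
        "esp": build_ipv6(src, dst, ESP, esp),
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(name, flow_key(pkt))
```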

The term external access or link defines one possible way of getting external access from the moving network. Each external access does not have to be of different types, although this is the most natural case. It may be possible that two external accesses are of the same type but differ in terms of e.g. current load or operator. There is one (primary) tunnel established between a Mobile Router and a Home Agent per external access.

The term Home Agent used in the application should be interpreted as any node in a home network working like a mobile anchor point to the moving network, i.e. facilitating communication from the moving network over an external network and the home network, such that the present invention can be used.

SUMMARY

An object of the present invention is to make it possible for a data packet originating from a mobile network node in a moving network to be routed over any of a number of external accesses accessible from different mobile routers in the moving network to home network(s) related to the moving network, for the case where some of the mobile routers advertise different address prefixes to the mobile network nodes.

The above object is achieved by a method, a system, a mobile router and a computer program product set forth in the characterizing part of the independent claims.

According to a first aspect of the invention, a method in a communication system is provided for routing data packets, said data packets originating from a moving network node in a moving network, from a mobile router of the moving network to a home agent in a home network related to the moving network. A first mobile router of the moving network has ability to access a first external access over which first external access a primary tunnel is set up to a home agent of the first mobile router. The moving network also has a second mobile router, which has ability to access at least one other external access, over each of the at least one other external access one primary tunnel is set up to a home agent of the second mobile router. The first mobile router advertises a first address prefix, and the second mobile router advertises a second address prefix, and a data packet originating from the moving network node is associated with a source address having the first address prefix. The method comprising the steps of:

-   selecting an external access of said at least one other external access for routing the data packet to the home agent of the second mobile router;
-   detecting that the source address associated with the data packet has an address prefix different to the address prefix advertised by the second mobile router;
-   providing the data packet with a different source address usable for routing the data packet to the home agent of the second mobile router, which different source address has the second address prefix; and
-   transmitting the data packet via the selected external access to the home agent of the second mobile router.

According to a first embodiment of the invention, a solution using secondary tunnels from the first mobile router via the second mobile router and the home agent of the second mobile router to the home agent of the first mobile router is provided. In this first embodiment, the data packet is provided with a different source address by adding an address related to the first mobile router to the data packet, said address related to the first mobile router having the second address prefix. The packet is then transmitted with the address related to the first mobile router through the secondary tunnel to the first mobile router.

According to a second embodiment of the invention, a solution using address translation functions in the mobile routers is provided. In this second embodiment, the data packet is provided with a different source address by translating the source address associated with the data packet to a second source address having the second address prefix.

An advantage of the present invention is that it increases throughput from and to a moving network since it makes it possible to use all external accesses available from the moving network, regardless of which mobile router that provides the access. Thereby, more redundancy is also achieved.

Another advantage of the invention is that the traffic from and to the moving network can be more flexibly load-balanced over the different external accesses.

A further advantage of the invention is that no changes or additions to the mobile network nodes are required. Instead, new features or requirements of the invention are placed on the mobile routers, or, in some embodiments, on other nodes in the communication system. Thereby, also legacy devices could be used as mobile network nodes with the invention.

A still further advantage of the invention is that it provides support for uncoordinated Mobile Network Prefixes among the MRs while still honouring ingress filtering rules.

Yet another advantage is that it provides support for multiple mobile routers having different home agents.

More advantages of the invention will be apparent when reading the application.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention will in the following be described in more detail with reference to enclosed drawings, wherein:

FIG. 1 describes a schematic block diagram of a communication system wherein the present invention may be used, the communication system comprising a Vehicle Area Network (VAN);

FIG. 2 shows a schematic block diagram of another communication system wherein the present invention may be used, the communication system comprising a Personal Area Network (PAN);

FIG. 3 shows a schematic block diagram of a communication system wherein the present invention may be used, including arrows illustrating how address prefixes are delegated and advertised in the communication system;

FIG. 4 describes a schematic block diagram of a first embodiment of the invention used in a communication system;

FIG. 5 describes a flow chart according to the first embodiment of the invention;

FIG. 6 illustrates a schematic block diagram of a first alternative of the first embodiment of the invention;

FIG. 7 illustrates a schematic block diagram of a second alternative of the first embodiment of the invention;

FIG. 8 shows a schematic block diagram of a first alternative of a second embodiment of the invention;

FIG. 9 illustrates a schematic block diagram of a second alternative of the second embodiment of the invention;

FIG. 10 shows a flow chart according to the second embodiment of the invention;

FIG. 11 shows a schematic block diagram of a mobile router according to the invention.

DETAILED DESCRIPTION

The present invention will be described more fully hereinafter with reference to the accompanying drawings, in which preferred embodiments of the invention are shown. This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art. In the drawings, like numbers refer to like elements.

FIG. 1 shows a schematic block diagram of an exemplary communication system wherein the present invention can be used. The system has a Vehicle Area Network (VAN) 201 which is an example of a moving network for which the present invention can be used. The VAN 201 is in this case situated on a train 200, which may be moving. The VAN may be some sort of switched Ethernet that may have either Ethernet ports 202 or WLAN access points 203 or a combination of Ethernet ports and WLAN access points (as shown in the figure). Moving network nodes (MNNs) 205, 206 may connect to an Ethernet port or to a WLAN access point. The moving network nodes may be any communication node such as laptops or mobile phones belonging to persons travelling on the train. The exemplary VAN also has a first and a second Mobile Router (MR) 204, 207 which act as default gateways for the MNNs inside the vehicle, such that a data packet sent from a moving network and directed to an external network address can be sent via any of the mobile routers. The mobile routers 204, 207 are responsible for mobility management for the entire VAN 201, i.e. mobility management is totally transparent to the MNNs 205, 206 entering the vehicle. This means that no new requirements are put on the MNNs when joining the VAN. In this figure, the first and the second mobile router have the same home agent 215 in the same home network. However, it may be possible that the first and the second mobile routers have different home agents that can reside in the same home network or in different home networks. Of course, it is also possible to have more than two mobile routers offering external access. Earlier solutions have catered for the case where the mobile routers have the same address prefix from the address range of the home network. This invention caters for the case where the mobile routers have different address prefixes.

For the purpose of routing packets destined to an external network address, the first and the second mobile router 204, 207 have external accesses for the VAN comprising one or several different access networks. In FIG. 3 the first mobile router 204 has two external accesses, a first external access via a Wideband Code Division Multiple Access (WCDMA) network 213 and a second external access via a satellite radio communication network 212. The second mobile router 207 has one external access via a General Packet Radio Service (GPRS) network 211. Each of these access networks is available via geographically distributed access points belonging to each access network, as is well known in the art. One or several of these access networks can be available at the same time depending on for instance coverage and operator policies. FIG. 1 also shows a Home Agent (HA) 216 in a home network 215, which in the example is the home network for both the first mobile router 204 and the second mobile router 207. Data packets from any of the MNNs and destined for e.g. a correspondent node in a foreign network are routed via any of the access networks, an IP network 214 and via the home agent 216 in the home network 215. For this purpose, a first tunnel is set up from the first mobile router 204 over the WCDMA network 213 and the IP network to the home agent 216 in the home network 215, a second tunnel is set up from the first mobile router 204 over the satellite communication network 212 and the IP network to the home agent 216 and a third tunnel is set up from the second mobile router 207 over the GPRS network 211 and the IP network to the home agent. It is also possible that two mobile routers have the same type of access, e.g. that both MRs have WCDMA access. According to the invention, the different external accesses offered by the networks 211, 212, 213 can be used simultaneously by the moving network, as will be described later.

There are several reasons motivating why support for simultaneous usage of several accesses would be beneficial in the scenario of FIG. 1:

-   It would be possible to handle the dynamic nature of the external accesses, i.e. the fact that accesses will go up and down depending on access technology and coverage. By having multiple simultaneous accesses, the MRs will be able to quickly move traffic between the different accesses when for instance one access goes down. According to the invention, moving traffic can take place both between two accesses of a single MR or between two accesses of two different MRs.
-   Simultaneous use of multiple external accesses means more bandwidth to the users of the moving network nodes in the moving network, which would improve the communication possibilities for the moving network nodes.
-   Also, to do load-sharing between the different external accesses, using different load-sharing algorithms, would improve the performance of the system and the users' system experience.

FIG. 2 shows another exemplary communication system wherein the present invention can be used. In this example, the moving network is a Personal Area Network (PAN). A PAN is a network that wirelessly connects communication devices being in the vicinity of a user into a short-range communication network. The PAN is then constituted by the communication devices that are within short-range communication distance of each other. The PAN can for instance comprise the communication devices that the user is carrying with him/her or the network within the user's personal car. The PAN consists of a switched Ethernet network based on for instance Bluetooth running the PAN profile. Some of the PAN devices have external access facilities. The external access facilities of these PAN devices can be used by all devices in the PAN to get external access. Thereby, the PAN devices having external access facilities function as mobile routers for the PAN.

The PAN 101 according to FIG. 2 comprises PAN devices 102-105, from which the two PAN devices 104, 105 have external access possibilities and, consequently, act as mobile routers (MRs) for external network access. The MRs 104, 105 are also responsible for mobility management of the moving network, i.e. the PAN. The external accesses provided by the MRs can for instance be a cellular phone 104 providing WCDMA access 111 and a PDA 105 providing WLAN access 112. These accesses can according to the invention be available at the same time and the solutions/mechanisms described in this application look into the cases where the PAN has several MRs providing one or several external access each. Compared to the VAN with multiple MRs shown in FIG. 1, in this example, the MRs in the PAN have different Home Agents 116, 118. As in the example of FIG. 1, the MRs have different address prefixes, which they have received from their respective home network 115, 117. The MRs are communicating with their respective Home Agent (HA) deployed in the respective home network via tunnels set up to the respective home agent for each available external access. The example in FIG. 2 shows that MR1 has access to one tunnel to HA1 116, and that MR2 has access to one tunnel to HA2 118.

The main advantages achieved by having support for simultaneous multi-access for PANs are:

-   Being able to move traffic between accesses (and MRs) when links go up and down when for instance the user moves out of coverage for WLAN. This case can also occur if one of the MRs ‘disappears’ from the PAN, e.g. moves out of Bluetooth coverage or simply is switched off.
-   That a user of the PAN can select which access and MR to use and change the selection, e.g. if the user for some reason wishes to change access and move the traffic from one access to another (which may also mean moving the traffic from one MR to another). The reasons for the user to change MR may be, e.g., cost-reasons, corporate policy reasons etc.
-   That a greater accumulated bandwidth can be provided for external network access for the PAN, since traffic can use different accesses, i.e. some traffic can use for instance the cellular access and other traffic can use the WLAN access.

As mentioned, this invention deals with the scenario where the moving network has multiple MRs but they are unsynchronized with regards to address prefix management. This means that at least one MR in the moving network may be assigned an address prefix different from what another MR in the moving network is using. The MRs may connect to the same HA or to different HAs (see FIGS. 1 and 2). An example of an address prefix is a so called mobile network prefix (MNP) as defined in NEMO. The MRs are assigned different MNPs from their respective HA (or they are pre-configured with static MNPs), and they advertise the MNPs into the moving network, i.e. to the MNNs.

An object of the invention is to make it possible for a data packet originating from an MNN to be routed over any of the external accesses accessible from the moving network, also in the case where the data packet has an originating address with an address prefix different to the address prefix advertised by some of the mobile routers providing the external accesses in the mobile network. Then flow management policies could be used for all external accesses of a moving network. Thereby, the external accesses could be used in a more optimal way for each type of data flow from the moving network, depending e.g. on the type of data flow and/or the load on each external access. A likely scenario for this invention is the PAN with multiple MRs scenario, which, as described in FIG. 2, may have multiple MRs using different HAs using different (unsynchronized) MNPs. Still the devices in a PAN (including the multiple MRs) are under the control of a single owner/administrator and are thus likely to be synchronized in other respects that are internal to the PAN, such as flow management policies.

Today, all MRs in a moving network advertise themselves as default routers to the MNNs in the moving network. The MNN will arbitrarily select one of them for sending default route traffic to (which in practice means most traffic). This may conflict with any flow management policies defined for the MRs, as a certain policy may indicate that this particular flow should be routed over a specific external access that belongs to another MR than the one the MNN selected.

FIG. 3 shows a schematic block diagram of a communication system wherein the present invention may be used, including arrows illustrating how address prefixes are delegated and advertised in the communication system. FIG. 3 shows a moving network 300 with two mobile routers (MR1 and MR2) connecting over tunnels over different external accesses to different HAs (HA1, HA2) with different address space originating from different ISPs (ISP1, ISP2). Assume MR1 has been assigned a first mobile network prefix (MNP_(A)) from its HA (HA1). Also assume that MR2 has been assigned a second mobile network prefix (MNP_(B)) from its HA (HA2). It may also be possible that the MRs have the same HA but still different address space. MR1 will advertise MNP_(A) to the moving network and MR2 will advertise MNP_(B) to the same moving network. Thus, the MNN 301 will hear two default routers (MR1 and MR2) and it will add the two prefixes to its prefix list and configure addresses from each prefix. Consequently, a source address, i.e. an address identifying the origin of a data packet sent from the MNN, could either be MNN_(A) or MNN_(B). A packet also has a destination address identifying to where the packet is destined.

According to the IETF Request For Comments (RFC) 2461, called “Neighbor Discovery for IP version 6 (IPv6)” by Narten et al published December 1998, an MNN may arbitrarily select a default router as its primary default router to which it will set its default route. It will use this default router for all or almost all traffic, including use of both source addresses MNN_(A) and MNN_(B). The MNN is not required to associate MNN_(A) with MR1 and MNN_(B) with MR2. In FIG. 3, the MNN has used MR1 as its default router (illustrated by the arrow pointing from the MNN to MR1).

In existing communication systems there is a function called ingress filtering, which is used to stop incorrect or malicious packets from being delivered out from a network, e.g. a moving network and further on to the Internet. This is performed by any node in a communication system by inspecting that the source address used in packets directed towards the Internet is topologically correct. The node, e.g. a mobile router in a moving network, knows what address space is used below itself and only packets with a source address from that address space are let through. In the case of FIG. 3, any of the nodes MR2, HA2 or ISP2 or any other router in HA2's home network or ISP2's network, may perform ingress filtering and drop the packet if the source address MNN_(A) is used, because MNN_(A) is derived from MNP_(A) which is not part of the address space that MR2's MNP_(B) belongs to. According to today's standards for moving network nodes, an MNN will send all its traffic (all its flows) to the same default router, as long as it has not received any other routing instructions. This means that the MNN will not be able to send one flow to MR1 while sending a second flow to MR2. If MR2 receives a packet with the wrong source address, i.e. MNN_(A), the packet is forwarded to MR1 before an external access is selected. The packet will not be filtered out in MR2 because it is as yet only sent within the moving network.

In the scenario of FIG. 3, the invention aims at making it possible for the MNN to use the access accessible from MR2 even if the MNN uses the source address MNN_(A), or generally speaking, the invention aims at making it possible to route a data packet originating from the MNN over any external access accessible from any mobile router in the moving network, irrespective of which source address the data packet has. In other words, this invention allows the MRs of the moving network to freely select the external access for each data flow between any MNN in the moving network and any corresponding node in the Internet, so that this selection is independent of the source address selected by each MNN.

To overcome the situation when an MNN has selected one source address for a packet, which source address has a first address prefix, but this first address prefix does not match a second address prefix that should be used for the selected external access, it is suggested in this invention to provide the data packet with a different source address used for routing the packet at least to the home agent of the second mobile router, which different source address has the second address prefix. This different source address will then be used for transmitting the data packet over the selected external access, at least to the home agent of the second mobile router. According to a first embodiment of the invention, secondary tunnels set up through the primary tunnels are used. In this case, the different source address will be added to the data packet by the first mobile router, which different source address is an address related to the first mobile router but having the address prefix advertised by the second mobile router. The address related to the first mobile router may e.g. be a start address for the secondary tunnel set up through the second mobile router over the selected external access having the second address prefix. According to a second embodiment, network address translation functions are used, e.g. Network Address Translators (NAT). The network address translation function provides the data packet with the different source address by translating the source address associated with the data packet to an address having the second address prefix.

According to the first embodiment, a mesh of secondary additional tunnels is created between MRs and their HAs over external accesses of the other MRs in the moving network which use a different address prefix than the MRs creating secondary tunnels. These tunnels use the ordinary (primary) already established tunnels between the MRs with the ability to access the external accesses and their HAs. An MR will establish secondary tunnels towards its HA using the primary tunnels of all the other MRs that use a different address prefix. The secondary tunnels will have a start address in the starting point of the tunnel and an end address in the end point of the tunnel. Practically, a secondary tunnel is created by creating a logical tunnel interface in the starting point and in the endpoint. When transmitting a packet through the secondary tunnel, an extra packet header is appended to the original header, which packet header comprises the start address and the end address of the secondary tunnel. Thereby, tunnels inside other tunnels will be used for transmitting packets, which due to the extra packet header means some additional overhead. This is illustrated in FIG. 4, which shows the same exemplary communication system as in FIG. 3 but with the new secondary tunnels set up. The black thick lines 404, 405 show the secondary tunnels, whereas the tubes 406, 407 show the primary tunnels. Assume that the MNN selects MNN_(A) as its source address for a data packet to be transmitted to a correspondent node. The MR1 either receives the data packet directly from the MNN, if the MNN has selected the MR1 as its default router, or it receives the data packet from MR2, if MR2 is the default router. In MR1, the external access (Access 2) of the second MR (MR2) is selected. If the packet would be forwarded to MR2 and through the primary tunnel of the selected external access, there will be ingress filtering problems in MR2. Therefore, according to the invention MR1 will send the packet over a secondary tunnel to the home agent of MR1, i.e. HA1. This secondary tunnel goes via the selected external access of MR2 and passes by MR2's home agent HA2. Since the secondary tunnel is used, an alternative source address is added to the packet, which alternative source address has the address prefix of MR2. The alternative source address may for example be the start address of the tunnel. In this case the start address of the tunnel would have the same address prefix as the second mobile router.

FIG. 5 shows a flow chart according to a method of the first embodiment of the invention for an exemplary embodiment with two different mobile routers, a first and a second mobile router, advertising different address prefixes. The method starts by setting up 501 a primary tunnel over each external access available from the moving network to a home network, from the mobile router that has the ability to access the external access to the home agent of that mobile router. Thereafter, secondary tunnels are set up 502, from the first mobile router via the second mobile router and the home agent of the second mobile router to the home agent of the first mobile router, and from the second mobile router via the first mobile router and the home agent of the first mobile router to the home agent of the second mobile router. If the mobile router where a secondary tunnel starts is configured not to encrypt packets, one secondary tunnel from this mobile router through another mobile router to the home agent of the other mobile router to the home agent of the mobile router would be sufficient, irrespective of the number of external accesses accessible by the other mobile router. However, if the mobile router where a secondary tunnel starts is configured to encrypt packets, one secondary tunnel per external access accessible by another mobile router would be necessary all the way from this mobile router to the home agent of the mobile router. These two alternatives will be described more thoroughly further down in the document.

A data packet originating from a mobile network node in the moving network and destined to an address external of the moving network is received 503 at a mobile router using the same address prefix as the address prefix of the source address of the packet, in this example the first mobile router. The first mobile router receives the packet either from a mobile network node directly, or, if the source address prefix of the packet was different to the address prefix of the mobile router first receiving the packet, from this mobile router. Then, an external access is selected 504 by the moving network, e.g. by the first mobile router, based on e.g. flow management policies. Further down in this document, it is described in an embodiment how this external access selection can be accomplished. Thereafter, it is detected 505 that the source address of the packet has a different address prefix than the prefix (or prefixes) advertised by the mobile router that has access to the selected external access. Then an alternative source address with the second address prefix is added 506 to the packet. This alternative address is for example added as a new address header embracing the original source address, and used for tunnelling the packet. The alternative source address may be an address of the first mobile router but with the address prefix of the second mobile router.

According to a first alternative, the packet is then transmitted 512 through a secondary tunnel from the first mobile router over the selected external access to a home agent of the first mobile router. Due to the tunnel and its alternative source address, the packet could be delivered to a home network of a first mobile router via an external access of the second mobile router without being filtered out due to wrong address prefix in any intermediate node. The receiving home agent can then distribute the packet via e.g. the Internet to the recipient of the packet.

FIG. 5 also describes a second alternative and a third alternative of the first embodiment of the invention. In the second alternative, the packet is not encrypted by the first mobile router. In that case, the first mobile router transmits 507 the data packet via a secondary tunnel from the first mobile router to the second mobile router, which second mobile router selects 508, by inspecting the data packet, the same external access as was selected by the first mobile router. Since the second mobile router uses the same flow management policy for the selection as the first mobile router, the same external access will be selected. Thereafter, the packet is transmitted 512 through the secondary tunnel over the selected access, which secondary tunnel ends in a home agent with the same address prefix as the original source address of the packet, i.e. the home agent of the first mobile router. Since no data encryption is used by the first mobile router, the second mobile router and the home agent of the second mobile router have access to the data in the packets transmitted through the secondary tunnel of the first mobile router and can thus make flow management decisions that are equal to the decisions made by the first mobile router or the home agent of the first mobile router (if the packet is transmitted in the opposite direction). Therefore, a common secondary tunnel could be used for the transmission from the first mobile router to the second mobile router, and from the home agent of the second mobile router to the home agent of the first mobile router for packets that are transferred through either of the primary tunnels between the second mobile router and the home agent of the second mobile router. Similarly, if the packet is transmitted in the opposite direction, a common secondary tunnel could be used for the transmission from the home agent of the first mobile router to the home agent of the second mobile router for packets that the home agent of the second mobile router transfers through either of the primary tunnels to the second mobile router.

In the third alternative, the packet is encrypted by the first mobile router. In this case, a secondary tunnel has to be set up for each external access, from the first mobile router over the external access of the second mobile router via the home agent of the second mobile router to the home agent of the first mobile router. The first mobile router transmits 509 the packet to the second mobile router through the secondary tunnel. In the second mobile router, a secondary tunnel care-of address is analyzed 510 for the second mobile router to detect 511, via the secondary tunnel care-of address, over which of its accesses the packet shall be routed. Thereafter, the data packet is transmitted over the selected external access via the home agent of the second mobile router to the home agent of the first mobile router. The second and third alternatives are described more thoroughly in the following. For example, in the third alternative there is described how the second mobile router can derive which external access belongs to each secondary tunnel care-of address.

Below, in connection with FIGS. 6 and 7, is described the option when a mobile router has more than one external access. Assume that mobile router 1, MR1, has one access type (access A1) and mobile router 2, MR2, has two access types (access A2 and access A3). The accesses do not have to be of different types. Alternatively, they may also be of the same type. MR1 and MR2 use different address prefixes and different HAs (HA1 and HA2 respectively). The problem and the solution are described from the point of view of MR1 delivering a packet. In order to cover all access types, MR1 has to be able to tunnel packets through MR2 via each of MR2's access types, A2 and A3, in addition to the tunnel over its own access, A1. A problem here is that MR2 normally would forward packets over A2 or A3 based on matching the properties of the outer packet with its policies. MR1 on the other hand, when sending a packet through a tunnel via MR2, wants the inner packet of the tunnel to be the one to base the access selection on.

No Encryption of Secondary Tunnels

In the following, and in connection with FIG. 6, the secondary tunnels are not encrypted. Encrypting the MR-HA tunnel is optional in MIPv6 as well as in the NEMO Basic Support protocol. To encrypt a secondary tunnel is equivalent to encrypting a packet sent through a secondary tunnel.

In most cases it may be assumed that the MR-HA tunnel need not be encrypted. Integrity protection is, however, preferable for both the MR and the HA in order to assure that tunnel packets arrive from the correct remote tunnel endpoint. When encryption of the MR-HA tunnel is not required, the solution may be rather straightforward:

-   State that an MR should not encrypt a tunnel that goes via another MR.
-   When an MR discovers an outgoing packet, received from another MR, constituting (a part of) an unencrypted IP-in-IP tunnel (i.e. secondary tunnel), the MR (MR2) bases its access selection on the inner packet, i.e. the original packet sent from an MNN. This is determined on a packet by packet basis and thus the solution does not add any state in the MR. (If the MR can distinguish MR-HA tunnels from other IP-in-IP tunnels, the MR may restrict the application of this rule to the IP-in-IP tunnels that are actually MR-HA tunnels. A way for the MR to distinguish MR-HA tunnels from other IP-in-IP tunnels would be to learn the tunnel endpoints used for the MR-HA tunnels by other MRs in the moving network, i.e. the care-of-addresses and/or home agent addresses that the other MRs use for their MR-HA tunnels. The MR would then identify a MR-HA tunnel as an IP-in-IP tunnel, where the source address of an outbound outer packet matches the learnt care-of-address or the destination address matches the learnt home agent address of one of the other MRs in the moving network.)

This solution makes the tunnelled packets be flow managed as if they were not tunnelled, which is more or less ideal. With this solution, MR1 can send a Binding Update (BU) message that establishes the tunnel over any access. It does not have to be sent via MR2, although there may be an advantage in doing so, when this solution coexists with the other one described in the following subsection. As seen in FIG. 6, there is one common path or tunnel from MR1 to MR2, which divides into two secondary tunnels via each of the two primary tunnels between MR2 and HA2, and then only one common path or tunnel from HA2 to HA1. In this figure, the secondary tunnels are shown as black lines, and the primary tunnels are shown as grey lines, thicker than the black lines.

Encryption of Secondary Tunnels

In the following, and in connection with FIG. 7, the secondary tunnels are encrypted. The assumption above is used, i.e. that mobile router 1, MR1, has one access type (access A1) and mobile router 2, MR2, has two access types (access A2 and access A3), that MR1 and MR2 use different address prefixes and different HAs (HA1 and HA2 respectively), and that MR1 is delivering a packet. In this case the MR1 must establish one secondary tunnel over A2 and one secondary tunnel over A3 in addition to the primary tunnel over its own access A1. The problem is then how MR1 can control which access MR2 sends the tunneled packets over.

The MRs announce their presence and their respective accesses to each other. This is an on-going process in a moving network, which for example may be related to a flow management synchronization procedure, or using a separate protocol. Regular IPv6 router advertisements also announce the presence of a router and the prefix(es) it is using, but they do not indicate that the router is a mobile router (which however may be assumed in a moving network) and they do not announce the router's access(es). When discovering another MR, an MR should find out the link-layer address (e.g. Ethernet MAC address) that the other MR is using in the moving network. This can be extracted from the non-prefix part, i.e. an interface identifier, of the source address of the message that announced the presence of the other MR. An alternative way is to send a Neighbor Solicitation message with said source address as the target address and retrieve the link-layer address from the Neighbor Advertisement received in response. Yet another way would be to let the announcing MR include its link-layer address or home address in the announcement message. In an IPv6 router advertisement message the link-layer address is already included in the Source link-layer address option (although the router may omit it in certain circumstances).

When announcing the accesses that are in use at a MR, the MR will include the accesses in a list (of some form) in a message. In one embodiment, the order that these accesses appear in the message is used to control which external access MR2 sends the packet over. Let's assume that MR2 announces its accesses in the order A2, A3. MR1 now knows that it has to establish two secondary tunnels via MR2. MR1 then builds two addresses with the prefix of MR2 (unless it had already built one, in which case it builds just one additional address): for example, one address is built in the regular way of building addresses in mobile IPv6: prefix+interface ID, denoted MR1pref2addr1, and the other address is built of prefix+<random pseudo interface ID>, denoted MR1pref2addr2. Of course MR1 verifies the uniqueness of the addresses through e.g. Duplicate Address Detection (DAD). MR1 then starts to establish the first secondary tunnel by sending a Binding Update (BU), using the MR1pref2addr1 as the source address, to its HA (i.e. HA1) via MR2. But MR1 also uses an Alternate Care-of Address mobility option in the mobility header. In this first tunnel establishment via MR2, MR1 inserts MR1pref2addr1 in the Alternate Care-of Address option.

When MR2 receives the BU it recognizes that it is a BU. It then checks the link-layer address that is associated with the source address of the BU, or the home address of the MR, if the MR has explicitly announced its home address, in order to find out whether the sender of the BU is a MR or a MNN (remember that a MR stores the link-layer addresses of the other MRs in the moving network). If the sought link-layer address is not in MR2's neighbor cache, MR2 retrieves it via a Neighbor Solicitation/Neighbor Advertisement exchange. When MR2 discovers that the BU was actually sent by another MR (i.e. because the link-layer address matched one of the previously stored MR link-layer address(es)), it records the properties of the BU in terms of the destination address (i.e. the HA1 address), the source address and the care-of address (extracted from the Alternate Care-of Address option). It determines that this is the first BU that it has received from this particular source address and thus associates this BU with the access that appeared first in its access announcement, i.e. A2. MR2 forwards the BU over any of its accesses (although it is possible that it may be advantageous to forward it over the access with which it has been associated).

When the Binding Acknowledgement (BA) subsequently arrives from HA1, MR2 notes that the tunnel is successfully established. MR2 now establishes a special state (henceforth referred to as “foreign tunnel state”) for packets with the recorded care-of address as the source address and the HA1 address (HA1addr) as the destination address. The foreign tunnel state also includes the source address of the BU (which is also the destination address of the BA) that was used when the concerned tunnel was established. Since this is the first foreign tunnel state to be established in MR2 with this source address, MR2 associates this foreign tunnel state with the access that appeared first in the announcement of the accesses, i.e. A2. MR2 now knows that any packet received from MR1pref2addr1 with HA1addr as the destination should be forwarded over access A2.

Subsequently, MR2 will monitor the NEMO signaling between MR1 and HA1 pertaining to this foreign tunnel state. If this signaling would indicate that the tunnel is removed, or that its lifetime is changed, MR2 will treat its foreign tunnel state accordingly (i.e. remove it or change its lifetime). If A2 would become unavailable and a packet matching the foreign tunnel state is received (before MR1 has reacted to MR2's announcements of the changed access availability), MR2 will try to inspect the inner packet to make its own flow management choice, but assuming that the inner packet is encrypted, the MR will treat the packet as its policies stipulate for encrypted packets, e.g. use a load balancing algorithm or an arbitrary choice of access. In this example, however, the choice is trivial, since there is only one access left, namely A3. MR1 then proceeds to establish the second tunnel via MR2. It does this by sending a BU with the same source address as the BU for the first tunnel, i.e. MR1pref2addr1, but this time with its other address, MR1pref2addr2, indicated in the Alternate Care-of Address mobility option.

When MR2 receives this second BU, it goes through the same procedure as described above for the first tunnel establishment. A difference, however, is that this time MR2 discovers that it already has a (one) foreign state with this source address. Hence, it associates the foreign tunnel state resulting from this second BU/BA exchange with the access that appeared second in the message that announced the accesses, i.e. A3.

A special case in conjunction with foreign tunnel state creation (and its association with an access) is illustrated as follows: Assume that MR2 has three accesses (A2, A3 and A4, announced in that order) and MR1 has one tunnel associated with each of these accesses. Then the tunnel associated with A3 for some reason is removed and so is the corresponding foreign tunnel state in MR2. MR1 wants to replace the removed tunnel with a new tunnel, so it sends a BU via MR2. MR2 determines that it already has two foreign tunnel states with this source address. If the basic rules described previously are to be followed, MR2 should now associate this BU (and the subsequently established foreign tunnel state) with the access that appeared third in the access announcements, i.e. A4. But there already is a foreign tunnel state with this source address associated with A4. So the basic rule has to be modified in order to cover also this special case. A better rule, although trickier to express, is:

“A new foreign tunnel state should be associated with the access that appeared the earliest in the access announcement out of the accesses that yet do not have any associated foreign tunnel state with that source address. If all accesses already have associated foreign tunnel states with this source address, no new foreign tunnel state is created.”

To reduce the risk of loss of tunnel-access association synchronization between MR1 and MR2 (i.e. that MR1 and MR2 have different views on which access a particular tunnel is associated with), MR2 should consistently use the principle that the relative order of the accesses in the announced list is not affected by changes in the available accesses. That is, when a new access is added to the list, it should be added at the end, and when an access is removed from the list the relative order of the remaining accesses in the list should not be affected.

In the following, an alternative is described to the above described principle of how to associate secondary tunnel addresses to external accesses when the secondary tunnels are encrypted. With this alternative principle, a tunnel-access association is not fixed; it may change if the available accesses change. Instead, the following rule governs which access a particular tunnel is associated with:

“Of the tunnels from a certain MR (MR1) (or more precisely: of the tunnels established using a certain source address) via another MR (MR2), the one with the lowest care-of address is associated with the one of MR2's available accesses that appeared first in the latest announced list of available accesses from MR2. The tunnel with the second lowest care-of address is associated with the access that appeared second in the latest announced list and so forth. That is, the care-of addresses, ordered by size (when seen as binary numbers), mapped on the latest announced list of available accesses determines the tunnel-access association.”

Apparently, this principle makes the tunnel-access association management dynamic and MR2 will, if needed, change the foreign tunnel state associations, when the available accesses change. Likewise, MR1 will, if needed, change its tunnel-access associations pertaining to tunnels via MR2, when MR2 announces a changed access list.
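The two association rules quoted above can be compared in a short sketch, given here as an added example that is not part of the patent text. The class and function names are hypothetical, and the addresses are constructed from the IPv6 documentation range.

```python
import ipaddress


def basic_rule(existing_states, announced):
    """Basic rule: the n-th BU from a source address gets the n-th announced access."""
    return announced[existing_states] if existing_states < len(announced) else None


class ForeignTunnelStates:
    """MR2's foreign tunnel states under the fixed (refined) association rule."""

    def __init__(self, announced):
        self.announced = list(announced)  # order of MR2's access announcement
        self.by_source = {}               # BU source address -> {care-of address: access}

    def add(self, bu_source, care_of):
        """Associate a new tunnel with the earliest announced access that has no
        foreign tunnel state for this source address. Returns None, and creates
        no state, if every access already has one."""
        states = self.by_source.setdefault(bu_source, {})
        taken = set(states.values())
        for access in self.announced:
            if access not in taken:
                states[care_of] = access
                return access
        return None

    def remove(self, bu_source, care_of):
        """Drop a state, e.g. after NEMO signaling shows the tunnel was removed."""
        return self.by_source.get(bu_source, {}).pop(care_of, None)

    def count(self, bu_source):
        return len(self.by_source.get(bu_source, {}))


def dynamic_association(care_of_addrs, announced):
    """Alternative rule: care-of addresses ordered by numeric value are mapped
    onto the latest announced access list. Tunnels beyond the list get no access."""
    ordered = sorted(care_of_addrs, key=lambda a: int(ipaddress.IPv6Address(a)))
    return dict(zip(ordered, announced))


def special_case():
    """The A2/A3/A4 special case: the tunnel on A3 is removed and replaced."""
    src = "2001:db8:b::1"  # constructed stand-in for MR1pref2addr1
    table = ForeignTunnelStates(["A2", "A3", "A4"])
    first = [table.add(src, coa) for coa in
             ("2001:db8:b::1", "2001:db8:b::3", "2001:db8:b::20")]
    table.remove(src, "2001:db8:b::3")                         # tunnel on A3 goes away
    naive = basic_rule(table.count(src), table.announced)      # collides with A4
    refined = table.add(src, "2001:db8:b::44")                 # reuses the free access
    overflow = table.add(src, "2001:db8:b::55")                # nothing left
    return first, naive, refined, overflow


if __name__ == "__main__":
    print(special_case())
    coas = ["2001:db8:b::20", "2001:db8:b::3", "2001:db8:b::100"]
    print(dynamic_association(coas, ["A2", "A3"]))
    print(dynamic_association(coas, ["A3"]))  # after A2 is withdrawn
```

Sorting the care-of addresses as text would put `::100` before `::20`; the rule compares them as binary numbers, so MR1 and MR2 must both sort numerically to stay synchronized.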

The above mentioned encrypted and unencrypted embodiments may easily coexist in the same moving network and in the same MRs. In the example above, this coexistence would have a significant impact only on MR2. A foreign tunnel is defined as a secondary tunnel that another MR, in this case MR1, has established through this mobile router, i.e. MR2. For this reason, the MR2 must keep a state for this foreign tunnel, called a foreign tunnel state. The state would make it possible for the MR to remember e.g. Binding Updates and Binding Acknowledgements passing for this tunnel and to map data packets received through the tunnel to the right external access. In a coexistence scenario, MR2 would act as follows when receiving an outbound packet that matches a foreign tunnel state:

MR2 first checks whether the inner packet is encrypted. If it is not encrypted, MR2 treats the packet (including access selection) according to its regular flow management policies, but based on the inner packet.

If the inner packet is encrypted, MR2 forwards the packet over the access that is associated with the matching foreign tunnel state.

With this coexistence solution, it is preferable that a MR using the unencrypted embodiment sends the BU via the other MR that the resulting tunnel should traverse. That way also the tunnels established with the unencrypted embodiment in mind will trigger a foreign tunnel state in another MR. As a result the other MR will only have to give special treatment to those IP-in-IP tunnels, i.e. secondary tunnels, that are actually MR-HA tunnels; all other IP-in-IP tunnels can be handled according to the regular flow management policies.

An alternative would be to mandate that a MR using the unencrypted embodiment does not send the BU via the MR that the resulting tunnel should traverse, but instead over one of its own accesses. This would avoid creation of foreign tunnel states for MR-HA tunnels that will anyway not be encrypted. This would allow another (intermediate) MR receiving outbound packets to use the encrypted and unencrypted embodiment exactly as described for each respective embodiment. If an outbound packet matches a foreign tunnel state, the MR forwards it over the access that is associated with the foreign tunnel state (this is the encrypted embodiment in its “pure” form), with no additional rules. If an outbound IP-in-IP packet is received (not matching any foreign tunnel state) the packet is flow managed based on the inner packet (i.e. the unencrypted embodiment in its “pure” form).

Address Translation

Below is described the second embodiment, which uses network address translation functions, e.g. Network Address Translators (NAT), for translating the source addresses to avoid ingress filtering. As mentioned, an ingress filtering function may be situated in any node in the network. According to this embodiment, address translation will be accomplished before the first node performing ingress filtering in the upstream direction, i.e. in the direction from the moving network towards the Internet. Thereby, the MNN can pick any source address, and a node comprising an address translation function would rewrite the source address to match a topologically correct prefix of the selected external access.

According to one alternative of the second embodiment, a NAT can be placed in either a HA or somewhere in the Internet. It is assumed that when the MNN selects a source address it implicitly also selects what HA to use. If the NAT is placed in a Home Agent, the solution is limited because external access cannot be selected arbitrarily, as only the external accesses that are used for tunnels to the chosen HA (which is determined by the selection of source address) can be used for selection. The HA can set a bit (not defined yet) in its Binding Acknowledgement to indicate to the MR that it can perform address rewrite, so that the MR knows that it can send packets with topologically incorrect source addresses to it.

According to another alternative, the NAT may be placed in the MRs, i.e. one NAT function in each MR. When an outgoing packet arrives at an MR, and the MR has an address with the same address prefix as the source address prefix of the packet, the MR selects an external access. The MR then checks whether the packet's source address topologically matches the address of the MR of the selected access. If it does, the MR forwards the packet to the MR of the selected access, which in turn forwards it through one of its tunnels, or the MR sends it through one of its own tunnels, if the selected access is one of its own. If the source address does not topologically match the MR of the selected access, then the MR uses its NAT function to replace the source address with an address with the prefix of the MR of the selected access, which may be another MR or the MR itself. It then forwards the packet to the MR of the selected access, which in turn forwards it through one of its tunnels, or sends it through one of its own tunnels, if the selected access is one of its own. To support this NAT function each MR must build an address for each prefix announced in the moving network. An alternative to using NAT functions in the MRs in this way is to always use the NAT in the outgoing MR, i.e. the MR that is responsible for the selected access. An MR receiving an outbound packet would always forward it to the selected outgoing MR, unless it happens to be the selected outgoing MR itself, without modifying the source address. The selected outgoing MR would then apply the NAT and translate the source address (if needed) before forwarding the packet over the selected access. This variant does not require an MR to build an address for each MNP advertised in the moving network; it is enough to build address(es) for its own MNP(s).

If the selected access would change in the alternatives just presented (e.g. due to change of access availability or change of policies), the ongoing sessions between MNNs and their peers on the Internet will break. The reason is that the sessions will have a different source address from the moving network and the peers will not be able to handle that. Note that the MNNs will not change address, but their NAT or the translated address will change.

A first solution to this is to have a NAT function in each HA and in each MR so that the packets traverse two NATs between the MNN and its peer. This solution is shown in FIG. 8, in which there are two mobile routers, MR1, MR2, each having one access, Access1, Access2. In the figure, NATs are placed in each mobile router and in each home agent, HA1, HA2, to the corresponding MR. The thick line shows the way an exemplary packet is sent through the communication system, which packet is associated with the source address MNN_A and for which the external access, Access2, of the second mobile router, MR2, has been selected. The large arrows illustrate that the MRs advertise their MNPs to the MNN. MR1 selects Access2 as external access. Preferably, the NAT in MR1 will make a first address translation to an address corresponding to the address prefix of MR2. The first address translation may, however, be accomplished in either of the two MRs or in the second home agent, HA2; if it is not known in which nodes ingress filtering is to take place, it would be preferable to have the first address translation made in MR1. The NAT in the HA that will send the packet through the Internet, HA1 in FIG. 8, will restore the original address (the address of the MNN), i.e. translate the address back to the original address. When an MR or HA performs the first address translation, it will also add an address option to the packet. This address option contains the address of the MNN. When the packet reaches the NAT that is to restore the address, it will be restored to its original form thanks to the information available in this address option. This solution requires that there is a way to route packets between the HAs for outbound packets. The translation will be accomplished in the HA, HA1, that belongs to the original source address of the packet, while the packet will reach the HA, HA2, that is the end-point of the tunnel over the selected access that was used from the moving network. A mesh of tunnels between home agents can be used for this. The routing into the tunnels will be based on the address option rather than the destination address. The benefit from this approach is that the packet will be restored, so that it does not cause the session to break if the access changes, and that the packet will traverse the topologically correct HA corresponding to the address of the MNN. The solution is in other words transparent to the MNN and the CN. This solution handles the generic case where there is an assumption that there may be an ingress filtering router somewhere on the path (e.g. an MR or an HA in this case) and for that reason the packet has to be rewritten. If that assumption is false, i.e. there is no ingress filtering router on the path, then a simpler solution is to avoid the two NATs altogether. The mesh of tunnels between HAs is needed, though.
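The two-NAT path of FIG. 8, sketched as an added Python example (not code from the patent): MR1 translates the source into MR2's prefix and records the MNN address in an address option, an ingress filter on the Access2 path accepts the packet, the HA mesh routes on the option, and HA1 restores the original source. The prefixes, the `Packet` fields, keeping the MNN's lower 64 bits in the translated address, and HA1's check that the option lies in its own prefix are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv6Address, IPv6Network
from typing import Dict, Optional

# Constructed sample prefixes from the IPv6 documentation range.
MNP_MR1 = IPv6Network("2001:db8:a::/64")  # prefix advertised by MR1, homed at HA1
MNP_MR2 = IPv6Network("2001:db8:b::/64")  # prefix advertised by MR2, homed at HA2


@dataclass(frozen=True)
class Packet:
    src: IPv6Address
    dst: IPv6Address
    # Address option added by the first NAT; carries the original MNN address.
    address_option: Optional[IPv6Address] = None


def translate_source(pkt: Packet, access_prefix: IPv6Network) -> Packet:
    """First NAT (preferably in MR1): move the source into the prefix of the
    MR that owns the selected access and remember the original address."""
    if pkt.src in access_prefix:
        return pkt  # prefix already matches the selected access
    if pkt.address_option is not None:
        raise ValueError("packet has already been translated")
    host_mask = (1 << (128 - access_prefix.prefixlen)) - 1
    # Assumption: keep the MNN's interface identifier under the new prefix.
    new_src = IPv6Address(int(access_prefix.network_address) | (int(pkt.src) & host_mask))
    return replace(pkt, src=new_src, address_option=pkt.src)


def ingress_filter(pkt: Packet, expected_prefix: IPv6Network) -> bool:
    """Ingress filtering node on the path: accept only sources in the prefix
    that is topologically valid for this access."""
    return pkt.src in expected_prefix


def select_home_agent(pkt: Packet, ha_prefixes: Dict[str, IPv6Network]) -> Optional[str]:
    """Routing into the HA mesh is keyed on the address option (if present),
    not on the destination address."""
    key = pkt.address_option if pkt.address_option is not None else pkt.src
    for name, prefix in ha_prefixes.items():
        if key in prefix:
            return name
    return None


def restore_source(pkt: Packet, own_prefix: IPv6Network) -> Packet:
    """Second NAT (in the HA that owns the MNN's prefix): put the original
    source back. Assumed check: refuse options outside this HA's own prefix,
    so the option cannot be used to emit a source the HA is not home for."""
    if pkt.address_option is None:
        return pkt
    if pkt.address_option not in own_prefix:
        raise ValueError("address option is not within this home agent's prefix")
    return replace(pkt, src=pkt.address_option, address_option=None)


if __name__ == "__main__":
    original = Packet(IPv6Address("2001:db8:a::1234"), IPv6Address("2001:db8:ffff::1"))
    translated = translate_source(original, MNP_MR2)
    print("untranslated passes filter:", ingress_filter(original, MNP_MR2))
    print("translated passes filter:  ", ingress_filter(translated, MNP_MR2))
    print("mesh next hop:", select_home_agent(translated, {"HA1": MNP_MR1, "HA2": MNP_MR2}))
    print("restored:", restore_source(translated, MNP_MR1))
```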

A second solution is to introduce a number of Home Agent independent NATs somewhere centrally on the Internet. This is shown in FIG. 9, which shows the same exemplary scenario as in FIG. 8, i.e. where a packet having a first address, MNN_A, is to be sent over an access of the second MR, MR2. In FIG. 9, the address is translated in the NAT of MR1 and then translated back to the original address in a centrally placed NAT, C-NAT. All HAs will establish anycast uni-directional tunnels to such central NATs for outbound traffic that has been address translated by an MR. When an MR creates an address below another MR's prefix to be used for address-rewriting, it will, according to one embodiment of the solution, create a special form of address. The lower e.g. 64 bits will comprise: some format bits in a unique combination indicating C-NAT addressing; some bits indicating an anycast address of the central NAT; and finally some bits for generating a unique address in case there are multiple MRs building an address from this prefix. When an outbound packet reaches the HA2 in FIG. 9, after decapsulation, the HA2 will inspect its source address. If the lower 64 bits of this address contain the special format indicating C-NAT addressing, the HA2 will take the anycast bits and expand them to a full anycast address. The packet will then be tunneled to this anycast address. When the packet reaches the central NAT at the anycast address, the source address will be rewritten again to the public address of the central NAT. By this method, if all MRs in a moving network use the same central NAT, the MNNs will, to the CN, always have a stable address, independent of access changes. Another benefit from this method is that HAs do not have to be coordinated.
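The special C-NAT address form described above, as an added Python example (not code from the patent). The text gives no field widths, so the layout used here (16 format bits, 16 anycast bits, 32 uniqueness bits), the marker value and the anycast base prefix are all assumptions chosen for illustration.

```python
from ipaddress import IPv6Address, IPv6Network
from typing import Optional

# Assumed layout of the lower 64 bits: [16 format | 16 anycast id | 32 unique].
CNAT_FORMAT = 0xC0A7  # assumed marker meaning "C-NAT addressing"
# Assumed base under which central NAT anycast addresses live; the 16 anycast
# bits from the source address fill the last group.
ANYCAST_BASE = IPv6Network("2001:db8:ca::/112")


def build_cnat_address(prefix: IPv6Network, anycast_id: int, mr_unique: int) -> IPv6Address:
    """MR side: build a rewrite address below another MR's /64 prefix."""
    if prefix.prefixlen != 64:
        raise ValueError("expected a /64 mobile network prefix")
    if not 0 <= anycast_id < (1 << 16):
        raise ValueError("anycast id does not fit in 16 bits")
    if not 0 <= mr_unique < (1 << 32):
        raise ValueError("uniqueness value does not fit in 32 bits")
    iid = (CNAT_FORMAT << 48) | (anycast_id << 32) | mr_unique
    return IPv6Address(int(prefix.network_address) | iid)


def cnat_anycast_target(src: IPv6Address) -> Optional[IPv6Address]:
    """HA side, after decapsulation: if the source carries the C-NAT format
    bits, expand its anycast bits to the full anycast address to tunnel to.
    Returns None for ordinary source addresses, which are forwarded normally."""
    iid = int(src) & ((1 << 64) - 1)
    if (iid >> 48) != CNAT_FORMAT:
        return None
    anycast_id = (iid >> 32) & 0xFFFF
    return IPv6Address(int(ANYCAST_BASE.network_address) | anycast_id)


if __name__ == "__main__":
    mr2_prefix = IPv6Network("2001:db8:b::/64")  # constructed sample prefix
    rewritten = build_cnat_address(mr2_prefix, anycast_id=7, mr_unique=1)
    print(rewritten, "->", cnat_anycast_target(rewritten))
    print(cnat_anycast_target(IPv6Address("2001:db8:b::1234")))
```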

FIG. 10 shows a flow chart according to a method of the second embodiment of the invention for an exemplary embodiment with two different mobile routers, a first and a second mobile router, advertising different address prefixes. The method starts by setting up 1001 a primary tunnel over each external access available from the moving network to a home network, from the mobile router that has the ability to access the external access to the home agent of that mobile router. A data packet originating from a mobile network node in the moving network and destined to an address external of the moving network is received 1002 at a mobile router using the same address prefix as the address prefix of the source address of the packet, in this example the first mobile router. The first mobile router receives the packet either from a mobile network node directly, or, if the source address prefix of the packet was different to the address prefix of the mobile router first receiving the packet, from the mobile router first receiving the packet. Then, when a packet is to be routed to an external address, an external access is selected 1003 by the moving network, e.g. by the first mobile router, based on e.g. access selection policies. An embodiment of how this external access selection can be accomplished is described further down in this document. Thereafter, it is detected 1004 that the source address of the packet has a different address prefix than the address of the mobile router that has access to the selected external access, e.g. the second mobile router. Then the source address of the data packet is translated 1005 to an alternative source address having the address prefix of the second mobile router, and the data packet is transmitted 1006 via the selected external access to the home agent of the second mobile router, called the second home agent. Thereby, the packet could be delivered to a home network without being filtered out due to the wrong address prefix in any intermediate node. The step of translating 1005 may be accomplished in any of the first or the second mobile router, as long as ingress filtering is not performed before the address is translated. The receiving home agent can then distribute 1011 the packet to the recipient of the packet.

Alternatively, to cater for the case where the selected access would change during an ongoing session, e.g. due to change of access availability or change of policies, the method may proceed according to two alternatives described below. According to the first alternative, the second home agent would transmit 1007 the data packet to the home agent of the first mobile router (first home agent) in a tunnel set up between the two home agents, and the first home agent would translate 1008 the alternative source address back to the original source address with the original address prefix, before the packet is distributed 1011 to the recipient of the packet. According to the second alternative, the second home agent would transmit 1009 the data packet to a central node on e.g. the Internet with the ability to translate addresses associated with data packets. The packet would be transmitted through a tunnel set up between the second home agent and the central node. Then, the central node would translate 1010 the alternative source address back to the original source address with the original address prefix, before the packet is distributed 1011 to the recipient of the packet.

The two embodiments described, i.e. the secondary tunnel embodiment and the address translation embodiment, have in common the vision that the access selection and tunneling to the Home Agents should be completely transparent to the MNN and its CN. If the MNN selects MNN_A as its source address, the packet should enter the Internet through ISP1. This can be achieved both with tunnels and with NATs. Tunneling and/or forwarding between the MRs and the HAs is used to deliver the packets to the correct HA over the selected access. The NAT functionality can be seen as a tunnel-reduction mechanism. The meshed tunnel option contains state per packet, while the NAT option contains state in the nodes in the network instead.

FIG. 11 shows a mobile router 1100 according to an embodiment of the present invention. The mobile router comprises:

- An internal communication means 1101, arranged for receiving data packets and information from MNNs and other MRs in the moving network and for sending packets and information to MNNs and other MRs in the network;
- A processor 1102 arranged for:
  - selecting external access for routing data packets based on information in the data packets and other information relevant for external access selection;
  - detecting that a source address associated with a data packet has an address prefix that is different to the address prefix of the mobile router used for accessing the selected external access;
  - providing a data packet with a different source address used for routing the packet to the home agent of the second mobile router, which alternative source address has the second address prefix; and
- An access means 1103 arranged for accessing at least one first external access, over each of which a primary tunnel is set up to a home agent of the mobile router, and for transmitting a data packet over the at least one first external access means.

According to the first embodiment of the invention, the processor 1102 may further be arranged for:

- setting up secondary tunnels over each of the external accesses accessible from a second mobile router, from the mobile router via the second mobile router, the external access accessible from the second mobile router and the home agent of the second mobile router to the home agent of the mobile router;
- and wherein the processor 1102 is arranged for providing a data packet with a different source address by being arranged for adding an address related to the mobile router but having the second address prefix to the data packet.

According to the second embodiment of the invention, the processor 1102 may further be arranged for:

- translating the source address associated with the data packet to an address having the second address prefix. For this reason the mobile router may be equipped with a Network Address Translator (NAT) function.

The mobile router may also be equipped with a memory 1104 for storing information about external accesses in the network and information influencing the selection of external access, such as access selection policies and flow states regarding access selections for previously routed packets.

Below is described an embodiment for selecting external access over which a data packet is to be routed to a home agent, which embodiment may be used in the invention. For achieving the best use of the external accesses in the moving network, the mobile routers in the network have information about each other's external accesses; each mobile router has information regarding e.g. which external accesses the other mobile routers in the moving network have, which capacity the external accesses have, the momentary status of the external accesses etc. This information has been transmitted from and received by all MRs of a moving network. When required, for example when a type of information has changed, this information is exchanged between all the MRs such that all MRs have the same information regarding the external accesses in the moving network, i.e. the information regarding the external accesses in the moving network is synchronized among the mobile routers in the moving network. A synchronization may also take place on a periodical basis. When a data packet originating from an MNN is received in a mobile router having the same address prefix as the source address prefix of the packet, the mobile router will select one of the external accesses in the network based on flow management policies which have been synchronized among the mobile routers. These policies may state that e.g. the information about the external accesses and information in the data packet should be used for making access selection decisions. When required, the selection is also based on configuration and access selection policies in the MRs, which policies are also synchronized between the MRs. Since the external access information and the policies are synchronized, all MRs will make the same routing decision and, consequently, select the same external access for a packet. The information in the data packet that is used for the selection may for example be a flow identification (i.e. which data flow a data packet belongs to), such as source and destination IP address plus one of:

- source and destination port number plus protocol number,
- flow label, or
- Security Parameter Index (SPI) and protocol number, which in this case will indicate a security protocol such as Encapsulating Security Payload (ESP) or Authentication Header (AH).

The step of selecting external access also comprises reading the information in the data packet to detect whether the data packet belongs to an already recorded flow. For this reason, the MR has recorded and stored a state of any previous packet of the same flow (see below), the state comprising routing decision and flow ID. This detection takes place by e.g. comparing the flow ID of the data packet to flow IDs stored in a database in the mobile router. If the data packet belongs to an already recorded flow, the selection will be done according to a routing decision made for a previous packet of the already recorded flow. For this reason, the access selection for the previous packet was recorded and stored in the mobile router as a flow state comprising flow identification and routing decision.

If the packet belongs to a previously not recorded flow, the MR will, in addition to using external access information, select access based on access selection policies configured in the MRs. Such policies may, for example, have been pre-configured by the MR operator or the MNN user, such as subscription profiles, access classifications and selection principles. Other policies will change dynamically, such as load-sharing algorithms etc. An access selection policy may also be of the type:

- To aggregate the throughput of the different accesses to improve the access throughput experienced by the MNNs.
- To apply load-sharing policies to make the most efficient use of the available access resources (e.g. to maximize the end-user experience).
- To differentiate MNNs e.g. based on subscription profiles.
- To differentiate flows e.g. based on application.
- To provide redundancy, e.g. using one of the available accesses as a backup that is activated only when the other access/accesses is/are broken.

For all MRs to make the same decision given the same input, the access selection policies are also synchronized between the MRs, when required, for example when a policy has changed.

As mentioned above, for a packet belonging to a previously unidentified flow, the MR will create and store a state for the flow, which state comprises the routing decision and a flow identification. According to an alternative embodiment of the invention, the flow state can also be transmitted to other mobile routers such that the flow state is synchronized between the MRs. Thereby, it will be assured that the MRs will make the same routing decision even if packets are received at different MRs.
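The access selection procedure above (flow identification, lookup of a recorded flow state, policy decision for a new flow), as an added Python example that is not code from the patent. The packet dictionaries, the access table fields, the order in which the three flow selectors are tried, and the load-sharing-plus-backup policy are assumptions; a SHA-256 digest is used so that every MR computes the same choice from the same synchronized inputs.

```python
import hashlib
from typing import Dict, NamedTuple, Tuple


class FlowId(NamedTuple):
    src: str
    dst: str
    kind: str                    # "spi", "label" or "ports"
    selector: Tuple[int, ...]


def classify(pkt: dict) -> FlowId:
    """Source and destination address plus one of: SPI + protocol (ESP/AH),
    flow label, or ports + protocol. The priority order is an assumption."""
    if pkt.get("spi") is not None:
        return FlowId(pkt["src"], pkt["dst"], "spi", (pkt["spi"], pkt["proto"]))
    if pkt.get("flow_label"):    # 0 means "unlabelled" in IPv6
        return FlowId(pkt["src"], pkt["dst"], "label", (pkt["flow_label"],))
    return FlowId(pkt["src"], pkt["dst"], "ports",
                  (pkt["sport"], pkt["dport"], pkt["proto"]))


def apply_policy(fid: FlowId, accesses: Dict[str, dict]) -> str:
    """Assumed synchronized policy: share load over the non-backup accesses
    that are up; fall back to backup accesses only when no other is up."""
    up = sorted(name for name, info in accesses.items() if info["up"])
    primary = [name for name in up if not accesses[name]["backup"]]
    candidates = primary or up
    if not candidates:
        raise RuntimeError("no external access available")
    # Process-independent hash: Python's built-in hash() is salted per
    # process, so two routers would disagree on the same flow.
    digest = hashlib.sha256(repr(tuple(fid)).encode()).digest()
    return candidates[int.from_bytes(digest[:8], "big") % len(candidates)]


class MobileRouter:
    def __init__(self, name: str, accesses: Dict[str, dict]):
        self.name = name
        # Local copy of the synchronized external access information.
        self.accesses = {n: dict(info) for n, info in accesses.items()}
        self.flows: Dict[FlowId, str] = {}   # flow state: flow ID -> decision

    def select_access(self, pkt: dict) -> str:
        fid = classify(pkt)
        recorded = self.flows.get(fid)
        # Recorded flow: follow the earlier decision while that access is
        # still usable according to the access information.
        if recorded is not None and self.accesses.get(recorded, {}).get("up"):
            return recorded
        # New flow, or the recorded access has gone down: decide and record.
        choice = apply_policy(fid, self.accesses)
        self.flows[fid] = choice
        return choice


# Constructed sample data.
SAMPLE_ACCESSES = {
    "Access1": {"up": True, "backup": False},
    "Access2": {"up": True, "backup": False},
    "Access3": {"up": True, "backup": True},
}
SAMPLE_PACKETS = [
    {"src": "2001:db8:a::10", "dst": "2001:db8:ffff::1", "proto": 6,
     "sport": 40000, "dport": 443},
    {"src": "2001:db8:a::11", "dst": "2001:db8:ffff::2", "proto": 50,
     "spi": 0x1001},
    {"src": "2001:db8:a::12", "dst": "2001:db8:ffff::3", "proto": 17,
     "sport": 5004, "dport": 5004, "flow_label": 0xBEEF},
]

if __name__ == "__main__":
    mr1 = MobileRouter("MR1", SAMPLE_ACCESSES)
    mr2 = MobileRouter("MR2", SAMPLE_ACCESSES)
    for p in SAMPLE_PACKETS:
        print(classify(p).kind, mr1.select_access(p), mr2.select_access(p))
```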

In the embodiment for selecting external access, according to one alternative solution, the Home Agent will perform an identical flow classification as the MRs, when receiving tunnelled packets from an MR. The Home Agent will create a state for this flow and also store a reference to the tunnel over which this packet was received. When packets routed in the opposite direction are received by the HA, the HA will attempt to classify the flow. If a packet is found to belong to a previously known flow, the HA will forward it over the same tunnel as was recorded in the state of the flow. If the flow is unidentifiable, the HA will not take any decisions but simply forward it over the primary tunnel or a default tunnel towards the MR. The HA will not create any state for such an unidentifiable flow, but instead wait for the MR's decision, which will be indicated in the form of a packet belonging to the same flow in the opposite direction. This packet may arrive through the same tunnel as the HA chose or through another tunnel, i.e. the tunnel selection is entirely up to the MR, and the HA will follow this decision. This mechanism will make the MR make all forwarding decisions for all flows to and from the MNNs. The HA will simply follow the MR's decisions and make sure the return traffic is forwarded via the same tunnel (and thus the same access). An MR may also explicitly instruct the HA what tunnel to use for the downlink part of a flow. This allows a flow to use asymmetric links for the uplink and the downlink parts.

An alternative to the embodiments of the invention described above, for being able to use any of the external accesses accessible from any of the MRs for routing data even though the mobile routers are unsynchronized with regard to access prefix, is to notify the MNN that it has made a non-preferred source address selection. This notification would be sent if the address of the MR that has access to the selected external access has a different address prefix than the source address of the packet sent from the MNN. With this approach it is actually possible for the moving network (e.g. the MRs) to control the previously discussed arbitrary source address selection problem. If the MNN happens to select a source address that doesn't match the external access selection, one of the MRs, e.g. the default router that the MNN uses, can send a notification to tell the MNN to use another source address. The drawback with this alternative is that new functionality would have to be incorporated into the MNNs, for the MNNs to know how to handle such a notification. Another drawback is that if the external access for some reason has to be changed during a session, the session will be dropped.

According to the above embodiments, when a receiving MR receiving an outgoing packet from an MNN has an address with a different address prefix than the source address of the packet, the packet will be forwarded to a selecting MR with the same address prefix as the source address of the packet, and an external access selection will be accomplished in the MR with the same address prefix. To avoid such redirection loops, it is suggested, according to an alternative embodiment of the invention, that the receiving MR sends a redirect message back to the MNN to instruct the MNN that for subsequent transmission of packets to the particular destination, the MNN should use a next hop towards the selecting MR. The next hop is the link-local IPv6 address of the selecting MR. This will reduce the number of hops by one as subsequent packets will be sent directly to the selecting MR and not via the receiving MR. The redirect message may be an Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Redirect message, which is described in “Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6)”, by A. Conta et al., published on the Internet as RFC 2463 in December 1998.

The invention makes it possible for a data packet originating from a mobile network node in a moving network to be routed over any of a number of external accesses accessible from different mobile routers in the moving network, even though the mobile routers advertise different address prefixes to the mobile network nodes.

Also, a person skilled in the art would understand that the above described methods can also be used for routing packets in the other direction, i.e. from the network, e.g. the Internet, via a home network and a mobile router before it eventually ends up at a mobile network node in a moving network.

In the drawings and specification, there have been disclosed preferred embodiments and examples of the invention and, although specific terms are employed, they are used in a generic and descriptive sense only and not for the purpose of limitation, the scope of the invention being set forth in the following claims.

1-28. (canceled)
29. A method in a communication system for routing a data packet from a mobile router of a moving network to a home agent in a home network related to the moving network, said data packet originating from a moving network node in the moving network, wherein the moving network includes a first mobile router that accesses a first external access and a second mobile router that accesses a second external access, said method comprising the steps of: setting up by the first mobile router, a primary tunnel over the first external access to a home agent of the first mobile router; setting up by the second mobile router, a primary tunnel over the second external access to a home agent of the second mobile router; advertising by the first mobile router, a first address prefix; advertising by the second mobile router, a second address prefix; receiving the data packet by the first mobile router, said data packet having a source address having the first address prefix; selecting the second external access for routing the data packet to the home agent of the second mobile router; detecting that the source address of the data packet has an address prefix different from the address prefix advertised by the second mobile router; providing the data packet with a different source address usable for routing the data packet to the home agent of the second mobile router, said different source address having the second address prefix; and transmitting the data packet via the selected external access to the home agent of the second mobile router.
30. The method according to claim 29, wherein the step of transmitting the data packet includes: setting up a secondary tunnel from the first mobile router via the second mobile router, the second external access, and the home agent of the second mobile router to the home agent of the first mobile router; wherein the step of providing the data packet with a different source address comprises adding to the data packet, an address related to the first mobile router, said address related to the first mobile router having the second address prefix; wherein the step of transmitting the data packet to the home agent of the second mobile router comprises transmitting the data packet through the secondary tunnel to the home agent of the second mobile router; and wherein the method further comprises the step of transmitting the data packet through the secondary tunnel from the home agent of the second mobile router to the home agent of the first mobile router.
31. The method according to claim 30, further comprising determining by the second mobile router, whether the data packet is encrypted by the first mobile router.
32. The method according to claim 30, wherein the second mobile router also accesses a third external access, and the step of selecting includes selecting the second external access by the second mobile router after receiving the data packet from the first mobile router through the secondary tunnel, wherein the secondary tunnel uses the primary tunnel set up over the second external access.
33. The method according to claim 30, wherein the second mobile router also accesses a third external access, and the step of selecting includes selecting the second external access for routing the data packet to a home agent, wherein the at least one secondary tunnel comprises a first secondary tunnel set up over the second external access and a second secondary tunnel set up over the third external access when the data packet is encrypted by the first mobile router, the first secondary tunnel having a first secondary tunnel care-of address set by the first mobile router and the second secondary tunnel having a second secondary tunnel care-of address set by the first mobile router, the step of transmitting comprising the steps of: transmitting the data packet to the second mobile router through the first secondary tunnel; analyzing the first secondary tunnel care-of address in the second mobile router; detecting from the first secondary tunnel care-of address, that the data packet is to be transmitted through the second external access; and transmitting the data packet via the home agent of the second mobile router to the home agent of the first mobile router through the first secondary tunnel.
34. The method according to claim 33, further comprising, before the step of providing the data packet with a different source address, the steps of: sending data from the second mobile router to the first mobile router comprising information regarding the second and the third external accesses, wherein the second and the third external accesses appear in a certain order in the data; setting up a secondary tunnel for each of the second and the third external accesses; and associating each secondary tunnel with a unique one of the second and the third external accesses, the associations being set up such that the order in which the secondary tunnels are set up matches the order in which the second and the third external access appear in the data.
35. The method according to claim 33, further comprising, before the step of transmitting the data packet to the second mobile router, the steps of: sending data from the second mobile router to the first mobile router comprising information regarding the second and third external accesses, wherein the second and the third external accesses appear in a certain order in the data; setting up a secondary tunnel for each of the second and the third external accesses; and associating each secondary tunnel with a unique one of the second and the third external accesses, the associations being set up such that the order of the secondary tunnel care-of-addresses matches the order in which the second and the third external accesses appear in the data, wherein the order of the secondary tunnel care-of-addresses refers to the order of the care-of-addresses' data representation interpreted as numbers.
36. The method according to claim 29, wherein the step of providing the data packet with a different source address comprises translating the source address of the data packet to a second source address having the second address prefix and wherein the translating is accomplished in one of the first mobile router and the second mobile router.
37. The method according to claim 36, further comprising the steps of: transmitting the data packet from the home agent of the second mobile router to the home agent of the first mobile router; and translating the second source address to the source address having the first address prefix.
38. The method according to claim 36, further comprising the steps of: transmitting the data packet from the home agent of the second mobile router to a node on the Internet with the ability to translate addresses associated with data packets; and translating the second source address to the source address having the first address prefix.
39. The method according to claim 29, wherein the first mobile router and the second mobile router have information regarding the first external access and the second external access, and wherein the step of selecting is based on information in the data packet, on the information regarding the first and the second external access, and on access selection policies stored in the first mobile router and the second mobile router, the method further comprising the step of: synchronizing the access selection policies and the information regarding the first external access and the second external access between the first mobile router and the second mobile router.
40. The method according to claim 39, wherein the step of selecting comprises the steps of: reading the information in the data packet to detect whether the data packet belongs to an already recorded data flow: if the data packet belongs to an already recorded data flow: making a routing decision for the data packet according to a routing decision stored in a flow state for the already recorded data flow and according to the information regarding the first external access and the second external access, and if the data packet belongs to a flow that has not been recorded: making a routing decision for the data packet according to access selection policies and according to the information regarding the first external access and the second external access; and recording a flow state for the flow that the data packet belongs to, said flow state comprising the routing decision and a flow identification.
41. A communication system for routing a data packet from a mobile router of a moving network to a home agent in a home network related to the moving network, said data packet originating from a moving network node in the moving network and said data packet having a source address having a first address prefix, said system comprising: a first mobile router in the moving network for accessing a first external access and setting up a primary tunnel to a home agent of the first mobile router, wherein the first mobile router advertises the first address prefix; a second mobile router in the moving network for accessing a second external access and setting up a primary tunnel to a home agent of the second mobile router, wherein the second mobile router advertises a second address prefix; means for selecting the second external access for routing the data packet to the home agent of the second mobile router; means for detecting that the source address of the data packet has an address prefix different from the address prefix advertised by the second mobile router; means for providing the data packet with a different source address usable for routing the data packet to the home agent of the second mobile router, said different source address having the second address prefix, and means for transmitting the data packet via the selected external access to the home agent of the second mobile router.
 42. The communication system according to claim 41, wherein a secondary tunnel is set up from the first mobile router via the second mobile router, the second external access, and the home agent of the second mobile router to the home agent of the first mobile router, wherein the means for providing the data packet with a different source address includes: means for adding to the data packet, an address related to the first mobile router, said address related to the first mobile router having the second address prefix: wherein the means for transmitting the data packet transmits the packet to the home agent of the second mobile router through the secondary tunnel; and wherein the means for transmitting the data packet transmits the packet through the secondary tunnel from the home agent of the second mobile router to the home agent of the first mobile router.
43. A first mobile router of a moving network in a communication system, the first mobile router for routing a data packet originating from a moving network node in the moving network to a home agent in a home network related to the moving network, wherein the first mobile router comprises: means for accessing a first external access over which a primary tunnel is set up to a home agent of the first mobile router, and for transmitting a data packet over the first external access means; communication means for receiving a data packet originating from a moving network node from the moving network; wherein the communication means includes means for communicating with a second mobile router in the moving network, the second mobile router accessing a second external access over which a primary tunnel is set up to a home agent of the second mobile router; wherein the first mobile router is associated with an address having a first address prefix, and the second mobile router is associated with an address having a second address prefix, wherein the received data packet originating from the moving network node has a source address having the first address prefix; means for selecting the second external access; means for detecting that the source address of the data packet has an address prefix different from the address prefix of the second mobile router; means for providing the data packet with a different source address usable for routing the data packet to the home agent of the second mobile router, said different source address having the second address prefix; and wherein the communication means transmits the data packet to the second mobile router.
44. The first mobile router according to claim 43, further comprising: means for setting up a secondary tunnel from the first mobile router via the second mobile router, the second external access, and the home agent of the second mobile router to the home agent of the mobile router; wherein the means for providing includes means for adding to the data packet, an address related to the first mobile router, said address related to the mobile router having the address prefix of the second mobile router; and wherein the communication means transmits the data packet through the secondary tunnel to the second mobile router.
 45. The first mobile router according to claim 43, wherein the means for providing includes means for translating the source address of the data packet to a second source address having the prefix of the second mobile router.
46. A computer program loaded on an internal memory of a digital computer device residing in a first mobile router of a moving network, said first mobile router accessing a first external access, said computer program comprising software code portions for performing the following steps when the computer program is run on the digital computer device: advertising by the first mobile router, a first address prefix; receiving a data packet originating from a moving network node in the moving network, said data packet having a source address having the first address prefix; and routing the data packet to a home agent in a home network related to the moving network, said routing step comprising: setting up by the first mobile router, a primary tunnel over the first external access to the home agent of the first mobile router; selecting a second external access for routing the data packet to a home agent of a second mobile router, wherein the second mobile router accesses a second external access and advertises a second address prefix; detecting that the source address of the data packet has an address prefix different from the address prefix advertised by the second mobile router; providing the data packet with a different source address usable for routing the data packet to the home agent of the second mobile router, said different source address having the second address prefix; and transmitting the data packet via the selected external access to the home agent of the second mobile router.